- Arch-security - lists.archlinux.org

[arch-security] [Arch Linux Security Advisory ASA-201411-5] konversation: denial of service
by Levente Polyak 09 Nov '14

09 Nov '14

Arch Linux Security Advisory ASA-201411-5 ========================================= Severity: Low Date : 2014-11-09 CVE-ID : CVE-2014-8483 Package : konversation Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package konversation before version 1.5.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.5.1-1. # pacman -Syu "konversation>=1.5.1-1" The problem has been fixed upstream [0] in version 1.5.1. Workaround ========== None. Description =========== Konversation's Blowfish ECB encryption support assumes incoming blocks to be the expected 12 bytes. The lack of a sanity-check for the actual size can cause a denial of service and an information leak to the local user. Impact ====== When using Blowfish ECB encryption with another party (an IRC channel or user), sending malformed blocks to konversation can result in a crash or an information leak up to 11 bytes to the local user, due to an out-of-bounds read on a heap-allocated array. References ========== [0] https://github.com/quassel/quassel/commit/8b5ecd https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8483 https://bugs.archlinux.org/task/42698 https://www.kde.org/info/security/advisory-20141104-1.txt

1 0

[arch-security] [Arch Linux Security Advisory ASA-201411-4] polarssl: multiple issues
by Levente Polyak 06 Nov '14

06 Nov '14

Arch Linux Security Advisory ASA-201411-4 ========================================= Severity: Medium Date : 2014-11-06 CVE-ID : CVE-2014-8627, CVE-2014-8628 Package : polarssl Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package polarssl before version 1.3.9-1 is vulnerable to multiple issues including weak signature negotiation and remotely triggerable memory leaks. Resolution ========== Upgrade to 1.3.9-1. # pacman -Syu "polarssl>=1.3.9-1" The problem has been fixed upstream in version 1.3.9. Workaround ========== None. Description =========== - CVE-2014-8627 (weak signature negotiation) A mistake resulted in servers negotiating the lowest common hash from signature_algorithms extension in TLS 1.2. - CVE-2014-8628 (memory leaks) Two issues were found that result in remotely triggerable memory leaks when parsing crafted ClientHello messages or X.509 certificates. Impact ====== A remote attacker is able to trigger memory leaks which may result in memory exhaustion and therefore denial of service. Additionally due to weak negotiated signature algorithms an attacker may be able to perform cryptographic attacks. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8627 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8628 http://www.openwall.com/lists/oss-security/2014/11/04/6 https://github.com/polarssl/polarssl/commit/480905 https://github.com/polarssl/polarssl/commit/43c3b28 https://github.com/polarssl/polarssl/commit/5d8618

1 0

[arch-security] [Arch Linux Security Advisory ASA-201411-3] mantisbt: sql injection
by Levente Polyak 05 Nov '14

05 Nov '14

Arch Linux Security Advisory ASA-201411-3 ========================================= Severity: Critical Date : 2014-11-05 CVE-ID : CVE-2014-8554 Package : mantisbt Type : sql injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package mantisbt before version 1.2.17-3 is vulnerable to SQL injection. Resolution ========== Upgrade to 1.2.17-3. # pacman -Syu "mantisbt>=1.2.17-3" The problem has been fixed upstream [0] but no release version is available yet. Workaround ========== None. Description =========== Edwin Gozeling and Wim Visser discovered that when the project_id parameter of the SOAP-request starts with the integer of a project to which the user (or anonymous) is authorized, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL-injection becomes possible. Impact ====== A remote attacker is able to perform SQL injection via specially crafted SOAP-requests. Depending on the configuration this can be escalated to code execution. References ========== [0] https://github.com/mantisbt/mantisbt/commit/99ffb0af https://access.redhat.com/security/cve/CVE-2014-8554 http://seclists.org/oss-sec/2014/q4/478 https://bugs.archlinux.org/task/42683

1 0

[arch-security] [Arch Linux Security Advisory ASA-201411-2] aircrack-ng: multiple vulnerabilities
by Levente Polyak 03 Nov '14

03 Nov '14

Arch Linux Security Advisory ASA-201411-2 ========================================= Severity: Critical Date : 2014-11-03 CVE-ID : CVE-2014-8321, CVE-2014-8322, CVE-2014-8323, CVE-2014-8324 Package : aircrack-ng Type : multiple vulnerabilities Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package aircrack-ng before version 1.2rc1-1 is vulnerable to multiple security issues which may result in remote/local code execution, privilege escalation and denial of service. Resolution ========== Upgrade to 1.2rc1-1. # pacman -Syu "aircrack-ng>=1.2rc1-1" The problem has been fixed upstream in version 1.2rc1. Workaround ========== None. Description =========== Nick Sampanis discovered the following vulnerabilities: - CVE-2014-8321 (code execution and privilege escalation) A stack overflow at airodump-ng gps_tracker() which may lead to code execution and privilege escalation. - CVE-2014-8322 (remote code execution) A length parameter inconsistency at aireplay tcp_test() which may lead to remote code execution. - CVE-2014-8323 (denial of service) A missing check for data format at buddy-ng which may lead to denial of service. - CVE-2014-8324 (denial of service) A missing check for invalid values at airserv-ng net_get() which may lead to denial of service. Impact ====== A remote attacker in an adjacent network is able to perform code execution, privilege escalation and denial of service via multiple vulnerabilities. References ========== http://www.securityfocus.com/archive/1/533869/30/0/threaded https://access.redhat.com/security/cve/CVE-2014-8321 https://access.redhat.com/security/cve/CVE-2014-8322 https://access.redhat.com/security/cve/CVE-2014-8323 https://access.redhat.com/security/cve/CVE-2014-8324 https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd https://github.com/aircrack-ng/aircrack-ng/commit/091b153f2 https://github.com/aircrack-ng/aircrack-ng/commit/da0872389 https://github.com/aircrack-ng/aircrack-ng/commit/88702a3ce

1 0

[arch-security] [Arch Linux Security Advisory ASA-201411-1] tnftp: arbitrary command execution
by Levente Polyak 01 Nov '14

01 Nov '14

Arch Linux Security Advisory ASA-201411-1 ========================================= Severity: High Date : 2014-11-01 CVE-ID : CVE-2014-8517 Package : tnftp Type : arbitrary command execution Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package tnftp before version 20141031-1 is vulnerable to arbitrary command execution. Resolution ========== Upgrade to 20141031-1. # pacman -Syu "tnftp>=20141031-1" The problem has been fixed upstream in version 20141031. Workaround ========== Specifying the output filename with -o when using tnftp with HTTP will prevent from arbitrary command execution. Description =========== A malicious webserver can trick tnftp below 20141031 via HTTP redirects into executing arbitrary commands. Impact ====== A malicious webserver can create an evil redirect which will execute arbitrary commands when a local user fetches that URL with tnftp. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8517 https://bugzilla.redhat.com/show_bug.cgi?id=1158286 https://bugs.archlinux.org/task/42646 http://seclists.org/oss-sec/2014/q4/459

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-14] wget: arbitrary filesystem access
by Remi Gacogne 29 Oct '14

29 Oct '14

Arch Linux Security Advisory ASA-201410-14 ========================================== Severity: Medium Date : 2014-10-29 CVE-ID : CVE-2014-4877 Package : wget Type : arbitrary filesystem access Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package wget before version 1.16-2 is vulnerable to arbitrary filesystem access. Resolution ========== Upgrade to 1.16-2. # pacman -Syu "wget>=1.16-2" The problem has been fixed upstream in version 1.16. Workaround ========== Do not use the --retr-symlinks=yes option when recursively retrieving a directory from an untrusted FTP server or over an untrusted connection. Description =========== It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. By default, when retrieving ftp directories recursively and a symbolic link is encountered, the symbolic link is traversed and the pointed-to files are retrieved. This option poses a security risk where a malicious FTP Server may cause Wget to write to files outside of the intended directories through a specially crafted .listing file. Impact ====== A malicious FTP server or a malicious attacker in position of man-in-the-middle could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877 https://bugzilla.redhat.com/show_bug.cgi?id=1139181 http://seclists.org/oss-sec/2014/q4/453

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-13] ejabberd: circumvention of encryption
by Levente Polyak 27 Oct '14

27 Oct '14

Arch Linux Security Advisory ASA-201410-13 ========================================== Severity: High Date : 2014-10-27 CVE-ID : CVE-2014-8760 Package : ejabberd Type : circumvention of encryption Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package ejabberd before version 14.07-2 allows clients to connect with an unencrypted connection even if starttls_required is set. Resolution ========== Upgrade to 14.07-2. # pacman -Syu "ejabberd>=14.07-2" The problems have been fixed upstream [0] but no release version is available yet. Workaround ========== Disable compression ('zlib' in c2s configuration) and find affected users with: # ejabberdctl connected_users_info | grep 'c2s_compressed\s' You may kick affected user sessions and they should be able to reconnect with encryption and without compression. Description =========== It was discovered that ejabberd does not enforce the starttls_required setting when compression is used, which causes clients to unexpectedly establish connections without encryption. Impact ====== A local user can unexpectedly connect without any encryption and send sensitive information in plaintext to the server even if encryption was set as required. References ========== [0] https://github.com/processone/ejabberd/commit/7bdc115 http://mail.jabber.org/pipermail/operators/2014-October/002438.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760 https://bugs.archlinux.org/task/42541

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-12] libxml2: Denial of service
by Levente Polyak 24 Oct '14

24 Oct '14

Arch Linux Security Advisory ASA-201410-12 ========================================== Severity: Medium Date : 2014-10-24 CVE-ID : CVE-2014-0191, CVE-2014-3660 Package : libxml2 Type : Denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package libxml2 before version 2.9.2-1 is vulnerable to denial of service, even if entity substitution is disabled. Resolution ========== Upgrade to 2.9.2-1. # pacman -Syu "libxml2>=2.9.2-1" The problems have been fixed upstream [0][1] in version 2.9.2. Workaround ========== None. Description =========== Daniel Berrange discovered that libxml2 incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, leads to the exhaustion of CPU and memory resources or file descriptors. Impact ====== A remote attacker is able to exploit this vulnerability using a specially crafted XML document containing malicious attributes to consume all available CPU and memory resources or file descriptors. References ========== [0] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c [1] https://git.gnome.org/browse/libxml2/commit/?id=be2a7 https://access.redhat.com/security/cve/CVE-2014-0191 https://access.redhat.com/security/cve/CVE-2014-3660 https://bugs.archlinux.org/task/40790 http://www.openwall.com/lists/oss-security/2014/05/06/4

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-11] ctags: Denial of service
by Levente Polyak 24 Oct '14

24 Oct '14

Arch Linux Security Advisory ASA-201410-11 ========================================== Severity: Medium Date : 2014-10-24 CVE-ID : CVE-2014-7204 Package : ctags Type : Denial of service Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package ctags before version 5.8-5 is vulnerable to denial of service. Resolution ========== Upgrade to 5.8-5. # pacman -Syu "ctags>=5.8-5" The problem has been fixed upstream [0] but no release version is available yet. Workaround ========== None. Description =========== Stefano Zacchiroli discovered a vulnerability in ctags, a tool to build tag file indexes of source code definitions: Certain JavaScript files cause ctags to enter an infinite loop until it runs out of disk space, resulting in denial of service. Impact ====== A local user can run out of disk space resulting in denial of service after running ctags on JavaScript files from an affected or specially prepared public repository. References ========== [0] http://sourceforge.net/p/ctags/code/791/ https://access.redhat.com/security/cve/CVE-2014-7204 https://bugs.archlinux.org/task/42246 http://www.openwall.com/lists/oss-security/2014/09/29/40

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-10] libvncserver: remote code execution, denial of service
by Remi Gacogne 24 Oct '14

24 Oct '14

Arch Linux Security Advisory ASA-201410-10 ========================================== Severity: Critical Date : 2014-10-24 CVE-ID : CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055 Package : libvncserver Type : Remote code execution, Denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package libvncserver before version 0.9.10-1 is vulnerable to remote code execution client-side, and denial of service server-side. Resolution ========== Upgrade to 0.9.10-1. # pacman -Syu "libvncserver>=0.9.10-1" The problem has been fixed upstream in version 0.9.10. Workaround ========== None. Description =========== CVE-2014-6051 Integer overflow in MallocFrameBuffer() on client side. A malicious VNC server could advertise a very large screen size (by RFB protocol, width and height are 16-bit integers), resulting in an integer overflow during malloc() on client-side. Heap corruption, and possibly remote code execution on client-side could ensue. CVE-2014-6052 Lack of malloc() return value checking on client side. malloc() return value was not checked on client-side during framebuffer setup. A malicious VNC server that advertises a large enough screen size to make malloc() fail could basically map the framebuffer at address 0, and write anything-anywhere in client process memory using selective FramebufferUpdate messages. This could certainly turn into remote code execution on client-side. CVE-2014-6053 Server crash on a very large ClientCutText message. A malicious client could advertise a very large ClientCutText message size (by RFB protocol, size is encoded on a 32-bit integer). malloc() is likely to fail in that case; as malloc() return value is not checked, this will most likely result in a server crash. CVE-2014-6054 Server crash when scaling factor is set to zero. A malicious client could set the scaling factor to 0, which will result in a server crash (division by zero). CVE-2014-6055 Multiple stack overflows in File Transfer feature. 1/ The non-standard file transfer messages (UltraVNC feature) will blindly strcpy() client-provided file and directory names into a stack-based buffer of size MAX_PATH, resulting in multiple stack-based buffer overflows on server-side. 2/ Client-supplied FileTime attribute is copied into a stack-based buffer of size 64 during rfbFileTransferOffer message parsing, resulting in a stack-based buffer overflow on server-side. Impact ====== A malicious server or an attacker in position of man-in-the-middle could remotely execute arbitrary code on a vulnerable client. A malicious client or an attacked in position of man-in-the-middle could remotely crash a vulnerable server. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6051 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6052 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6053 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6054 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6055 http://seclists.org/oss-sec/2014/q3/639 https://bugs.archlinux.org/task/42321

1 0